Legit question: What can an ISP collect when most of the time I'm going to secure "https:" websites? I mean, they can only see the website I'm going to, but not what is going on there, right?
Is just collecting where people are going that lucrative to sell?
The DNS data is super useful for developing a demographic profile.
For example, they could pretty trivially assert with high confidence that a pregnant woman is in your home or that you’re shopping for a car. The tinfoil hat scenarios are interesting as well.
There's what websites/apps you use, but also your behavior patterns. Are you a night owl? How often do you check some website or app? I'm sure there's a lot of other information they do gather based on the "metadata".
Not what they can, what they MUST as required by law. Assuming US, see DTA aka CALEA - at any time little green men with a warrant can ask for transparent packet capture of ISP client's traffic.
Also, in many places (Europe) there are collection and retention requirements for ISPs.
That + other data can be used to build a behavioral profile, so it's not what your ISP is doing necessarily but what the people they sell the data to are doing with it (or the people they sell to).
DNS records and net flow data. They can also inject JS in http sites, hijack domains to do the same, do traffic shaping. But I am biased, I work for a VPN company.
Spooky23|1 year ago
lordofgibbons|1 year ago
eviks|1 year ago
112233|1 year ago
agieocean|1 year ago
eptcyka|1 year ago